On Thu, Oct 13, 2016 at 04:39:39PM +0000, Ben Irving wrote:
> I have run into a very similar use case. In my case I'm using Haproxy to
> route tcp requests based on the server name indication to upstream web
> servers where the TLS request is terminated. The ACME client is also
> running on these upstream web servers. I'm forced to use HTTP-01 challenges
> and am forced to open up port 80 as well on these upstream servers, which I
> don't want to do. I don't expect the protocol to solve my particular use
> case, but I'm also curious as to why acme.invalid was used as the suffix
> for all TLS-SNI based challenges?
One possible way to work around these sorts of issues would be to allow
programmatic runtime routing control for the TLS demuxer,
and then have a proxy service that validates the submitted CSRs and then
tries to obtain certificates for those.
(Allowing webservers to directly set routes would allow them to obtain
certs for other domains hosted behind the same loadbalancer.)
Acme mailing list
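The design sketched in the reply above (an SNI demuxer with a programmatic routing API, where only a trusted proxy that has checked a backend's CSR may install challenge routes), as an added example that is not part of the thread and is not code from HAProxy or any ACME client. It parses the server_name extension out of a raw ClientHello, derives the TLS-SNI-01 challenge name (`<Z[0:32]>.<Z[32:64]>.acme.invalid`, Z = hex SHA-256 of the key authorization), and enforces the point made in the parenthetical: an ordinary backend can only claim hostnames it owns and can never claim an acme.invalid name, so it cannot hijack validation for another tenant behind the same load balancer. The backend identifiers, the `acme-proxy` caller identity, and the simplified CSR check (the requested SAN list stands in for a parsed CSR) are assumptions for illustration; the ClientHello builder exists only to construct test input.

```python
"""Added example: SNI demuxer with authorised runtime route control.
Backend names, the 'acme-proxy' identity and the name-list stand-in for CSR
validation are hypothetical (assumptions, not from the mailing-list thread).
"""
import hashlib
import struct
from typing import Optional


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with one SNI entry (test input only)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name type 0
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list              # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                                 # client_version, random
            + b"\x00"                                                  # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"                       # one cipher suite
            + b"\x01\x00"                                              # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_sni(record: bytes) -> Optional[str]:
    """Return the lower-cased server_name from a ClientHello record, or None if absent/malformed."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 34                                     # skip version(2) + random(32)
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                         # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                         # compression_methods
    if len(body) < pos + 2:
        return None                              # no extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype != 0 or len(edata) < 5:
            continue
        q, list_end = 2, 2 + struct.unpack("!H", edata[:2])[0]
        while q + 3 <= min(list_end, len(edata)):
            ntype, nlen = edata[q], struct.unpack("!H", edata[q + 1:q + 3])[0]
            q += 3
            if ntype == 0 and q + nlen <= len(edata):
                return edata[q:q + nlen].decode("ascii", "replace").lower()
            q += nlen
    return None


def tls_sni_01_name(key_authorization: str) -> str:
    """TLS-SNI-01 challenge SNI: Z = hex(SHA-256(keyAuthorization)), Z[0:32].Z[32:64].acme.invalid."""
    z = hashlib.sha256(key_authorization.encode("ascii")).hexdigest()
    return f"{z[:32]}.{z[32:64]}.acme.invalid"


class Demuxer:
    ACME_PROXY = "acme-proxy"   # hypothetical identity of the trusted certificate-obtaining proxy

    def __init__(self) -> None:
        self.routes = {}   # sni -> target
        self.owned = {}    # backend -> set of hostnames it is allowed to serve

    def register_backend(self, backend: str, hostnames) -> None:
        self.owned[backend] = {h.lower() for h in hostnames}

    def add_route(self, caller: str, sni: str, backend: str) -> bool:
        """Unprivileged control: a backend may route only its own names, never an acme.invalid name."""
        sni = sni.lower()
        if caller != backend or sni.endswith(".acme.invalid") or sni not in self.owned.get(backend, set()):
            return False
        self.routes[sni] = backend
        return True

    def validate_csr_names(self, backend: str, requested_names) -> bool:
        """Stand-in for CSR validation: every requested name must be owned by the submitting backend."""
        return bool(requested_names) and {n.lower() for n in requested_names} <= self.owned.get(backend, set())

    def add_challenge_route(self, caller: str, backend: str, requested_names, key_authorization: str) -> Optional[str]:
        """Only the proxy, after validating the CSR, may install an acme.invalid route (to itself, as it answers the challenge)."""
        if caller != self.ACME_PROXY or not self.validate_csr_names(backend, requested_names):
            return None
        sni = tls_sni_01_name(key_authorization)
        self.routes[sni] = self.ACME_PROXY
        return sni

    def route(self, record: bytes) -> Optional[str]:
        """Pick the target for a ClientHello; unknown or missing SNI gets no route."""
        sni = parse_client_hello_sni(record)
        return self.routes.get(sni) if sni else None
```

The two control paths are deliberately separate: `add_route` is what a web server may call and is bounded by the ownership table, while `add_challenge_route` is reachable only by the proxy and only after the requested names pass the ownership check, which is the check that stops one tenant from completing validation for a name belonging to another.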